Stealth watch navytechday-2016-03-03

Darrin Pierce, Security CSE, March 03, 2016

Behavioral Analytics & Detection


Page 1: Stealth watch   navytechday-2016-03-03

Darrin Pierce, Security CSE, March 03, 2016

Behavioral Analytics & Detection

Page 2: Stealth watch   navytechday-2016-03-03

2© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

The Modern Cyber Threat

Page 3: Stealth watch   navytechday-2016-03-03

Why Security Matters

(Chart: Technology Value plotted against Time)

Page 4: Stealth watch   navytechday-2016-03-03

Security Challenges

BYOD: 90% of organizations are not fully aware of all devices on the network

Social Media: 29% of successful breaches used social media to target the end user

App Stores: 138B apps downloaded worldwide in 2014

Changing Business Models / Dynamic Threat Landscape / Complexity and Fragmentation

Sources: Gartner 2013; Frost & Sullivan 2014; Cisco Mid-Year Security Report 2014

Page 5: Stealth watch   navytechday-2016-03-03

Security Challenges

60% of data is stolen in HOURS

62% of breaches remain undiscovered for MONTHS

51% increase of companies reporting a $10M loss or more in the last 3 YEARS

2015

Changing Business Models / Dynamic Threat Landscape / Complexity and Fragmentation

Sources: PWC Global State of Information Survey 2014; Verizon Data Breach Report 2013

Page 6: Stealth watch   navytechday-2016-03-03

Security Challenges

1208 startups receiving VC funding in the last 5 years ($7.3B)

54 security vendors for some customers

12x demand for security talent

Changing Business Models / Dynamic Threat Landscape / Complexity and Fragmentation

Sources: Cisco Annual Security Report 2014; CB Insights, Feb. 2015; Cisco Research 2014

Page 7: Stealth watch   navytechday-2016-03-03

Economics of Crime

• Development of Malware
  • Exploits: $1000 – $300,000
  • Mobile Malware: $150
  • Commercial Malware Dev: $2500

• Other services?
  • ‘Cleaning Bitcoin’
  • Selling taxpayer data
  • Creating fake documents
  • Sales of Intellectual Property

• Information Sales:
  • Social Security Number: $1
  • Bank Account Numbers: $100
  • Medical Records: $50
  • Credit Card Numbers: $0.25 - $60
  • Facebook Account: $1 for 1 account with 15 friends

• Services
  • DDOS (Boot Services): 7 dollars an hour
  • Spam Mail: $50 for 500K Emails

It’s cheaper and easier than ever before to be a Cyber Criminal

Page 8: Stealth watch   navytechday-2016-03-03

History of Security Products

Firewall/VPN: “Block, Allow, Encrypt”

Intrusion Detection & Prevention: “See the threat and stop it before it gets in.”

Anti-Virus: “A file matches the pattern”

Public Key Infrastructure / Encryption: “No key, no access.”

Network Access Control / Identity Access Management: “Control access to the network, limit the threat’s chance of success.”

Application Control (Next Gen Firewall): “Control the applications, control the threat”

Sandboxing: “Look for new and unknown threats”

Page 9: Stealth watch   navytechday-2016-03-03


Security Standards

Page 10: Stealth watch   navytechday-2016-03-03

Even the Basics Are Not Being Covered

Less than half of security practitioners leverage critical security tools.

• Identity Administration and Provisioning
• Patching and configuration as defense
• Pen-testing
• Quarantine malicious applications

(Adoption figures shown on the slide: 43%, 35%, 39%, 55%)

99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published. - Verizon Data Breach Investigation Report 2015

Page 11: Stealth watch   navytechday-2016-03-03


“Exploits” are not always required:

• I don’t need to deliver an exploit to you all the time to compromise your computers.

• A persistent attacker just needs YOU to run their malicious code.

• Or just steal your password (even better when you give it to them).

Not All Attacks are High Tech

Page 12: Stealth watch   navytechday-2016-03-03

Security Report Card

Why Do Our Security Approaches Keep Failing?

• It is not a fair fight
• People, Processes, and Technology Issues

Page 13: Stealth watch   navytechday-2016-03-03

A Security Model with Simple Clear Goals

Strategic Imperatives: Visibility-Driven, Threat-Focused, Platform-Based

Visibility-Driven: Network-Integrated, Broad Sensor Base, Context sharing and Automation

Threat-Focused: Continuous Advanced Threat Protection, Cloud-Based Security Intelligence

Platform-Based: Leading products working together as a system; Built for Scale, Consistent Control, Management

Covers the entire Attack Continuum, backed by Collective Security Intelligence:

BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Page 14: Stealth watch   navytechday-2016-03-03


What would you do differently if you KNEW you were going to be compromised?

Page 15: Stealth watch   navytechday-2016-03-03

PCI Solution: Validated by Verizon Business

(Diagram: a Register Workstation and PCI / Non-PCI devices connect over the WAN to the Data Center Network, which holds PCI and Non-PCI servers. Policy matrix of Source against Protected Assets: rows PCI Device and Non-PCI Device, columns PCI Server and Non-PCI Server, each cell PERMIT or DENY.)

www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/trustsec_pci_validation.pdf

Page 16: Stealth watch   navytechday-2016-03-03

StealthWatch

Network Behavioral Analysis for Threat Detection

Page 17: Stealth watch   navytechday-2016-03-03

An Introduction to NetFlow

(Diagram: host 10.2.2.2 port 1024 on interface eth0/1 talks to host 10.1.1.1 port 80 on interface eth0/2 through the exporting router.)

Unidirectional flow records, one per direction:

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  TCP Flags
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        SYN,ACK,PSH
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       SYN,ACK,FIN

Page 18: Stealth watch   navytechday-2016-03-03

NetFlow = Visibility

Router# show flow monitor CYBER-MONITOR cache
…
IPV4 SOURCE ADDRESS:       192.168.100.100
IPV4 DESTINATION ADDRESS:  192.168.20.6
TRNS SOURCE PORT:          47321
TRNS DESTINATION PORT:     443
INTERFACE INPUT:           Gi0/0/0
IP TOS:                    0x00
IP PROTOCOL:               6
ipv4 next hop address:     192.168.20.6
tcp flags:                 0x1A
interface output:          Gi0/1.20
counter bytes:             1482
counter packets:           23
timestamp first:           12:33:53.358
timestamp last:            12:33:53.370
ip dscp:                   0x00
ip ttl min:                127
ip ttl max:                127
application name:          nbar secure-http
…

A single NetFlow Record provides a wealth of information

Page 19: Stealth watch   navytechday-2016-03-03

Scaling Visibility: Flow Stitching

(Diagram: 10.2.2.2 port 1024 on eth0/1, 10.1.1.1 port 80 on eth0/2.)

Unidirectional Flow Records:

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712

Bidirectional Flow Record:
• Conversation flow record
• Allows easy visualization and analysis

Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2

Page 20: Stealth watch   navytechday-2016-03-03

Scaling Visibility: NetFlow Deduplication

(Diagram: the conversation 10.2.2.2 port 1024 <-> 10.1.1.1 port 80 passes through Router A, Router B and Router C, each exporting its own record.)

Router A: 10.2.2.2:1024 -> 10.1.1.1:80
Router B: 10.2.2.2:1024 -> 10.1.1.1:80
Router C: 10.1.1.1:80 -> 10.2.2.2:1024

Router A and Router B report duplicates of the same direction.

• Without deduplication
  • Traffic volume can be misreported
  • False positives would occur

• With deduplication
  • Allows for efficient storage of flow data
  • Necessary for accurate host-level reporting
  • Does not discard data
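Stitching (slide 19) and deduplication (slide 20) worked through in code, as an added example that is not code from the deck or from StealthWatch: the unidirectional records from Router A, Router B and Router C for 10.2.2.2:1024 <-> 10.1.1.1:80 are merged into one conversation record, and Router B's duplicate of the client direction is counted once. The field names, the port-based client/server rule and the first-exporter-owns-the-counters rule are this example's own assumptions.

```python
"""Stitch unidirectional NetFlow records into bidirectional conversation
records and deduplicate records that several exporters report for the
same direction (slides 19 and 20).

Added example, not code from the Cisco/Lancope deck. The record layout,
the three-router scenario and the values follow the slides; the field
names, the client/server rule and the dedup rule are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class UniFlow:
    """One unidirectional record as an exporter (router) would emit it."""
    exporter: str   # which device reported the flow
    start: str      # first-packet timestamp
    iface: str      # input interface on that exporter
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    nbytes: int

@dataclass
class BiFlow:
    """Conversation record; the client is the peer using the ephemeral port."""
    start: str
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: str
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    interfaces: List[str] = field(default_factory=list)
    exporters: List[str] = field(default_factory=list)

def conversation_key(f: UniFlow) -> Tuple[str, int, str, int, str]:
    """Direction-independent key (assumed heuristic, common in collectors):
    the lower-numbered port is the server; on a tie, order by IP so both
    directions still map to the same key."""
    a, b = (f.src_ip, f.src_port), (f.dst_ip, f.dst_port)
    if a[1] != b[1]:
        client, server = (a, b) if a[1] > b[1] else (b, a)
    else:
        client, server = (a, b) if a[0] < b[0] else (b, a)
    return (client[0], client[1], server[0], server[1], f.proto)

def stitch_and_dedup(records: List[UniFlow]) -> List[BiFlow]:
    """Merge records into one BiFlow per conversation.

    Dedup rule (assumption): the first exporter seen for a direction owns its
    counters; the same direction reported by another exporter is not added
    again (otherwise Router A + Router B would double the client bytes), but
    its interface and exporter are still recorded, so nothing is discarded.
    """
    flows: Dict[Tuple, BiFlow] = {}
    owner: Dict[Tuple, str] = {}  # (key, direction) -> exporter whose counts we keep
    for r in sorted(records, key=lambda x: x.start):
        key = conversation_key(r)
        bf = flows.setdefault(key, BiFlow(r.start, *key))
        direction = "client" if (r.src_ip, r.src_port) == key[:2] else "server"
        if owner.setdefault((key, direction), r.exporter) == r.exporter:
            if direction == "client":
                bf.client_bytes += r.nbytes
                bf.client_pkts += r.pkts
            else:
                bf.server_bytes += r.nbytes
                bf.server_pkts += r.pkts
        if r.iface not in bf.interfaces:
            bf.interfaces.append(r.iface)
        if r.exporter not in bf.exporters:
            bf.exporters.append(r.exporter)
    return list(flows.values())

# Constructed sample: the slide-19 pair of records, with the client->server
# direction also reported by Router B (the slide-20 duplicate).
SAMPLE = [
    UniFlow("Router A", "10:20:12.221", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    UniFlow("Router B", "10:20:12.224", "Gi0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    UniFlow("Router C", "10:20:12.871", "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]

if __name__ == "__main__":
    for bf in stitch_and_dedup(SAMPLE):
        print(bf)
```

Without the owner rule the client side would be reported as 2050 bytes and 10 packets, which is exactly the misreported volume the slide warns about.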

Page 21: Stealth watch   navytechday-2016-03-03

StealthWatch + ISE = Better Context, Better Security

(Diagram: Cisco ISE shares Context Information with StealthWatch over pxGrid, the network supplies NetFlow, and StealthWatch sends a Mitigation Action back to ISE.)

Real-time visibility at all network layers
• Data Intelligence throughout network
• Assets discovery
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response

Send contextual data collected from users, devices, and networks to StealthWatch for advanced insights and NetFlow analytics

Page 22: Stealth watch   navytechday-2016-03-03

StealthWatch + ISE = Better Context

• Highly scalable (enterprise class) collection
• High compression, long term storage
• Months of data retention

More Context: When, Who, Where, What, How, Security Group

Page 23: Stealth watch   navytechday-2016-03-03


StealthWatch Identity / Device Table:

Page 24: Stealth watch   navytechday-2016-03-03

NetFlow for Dynamic Network Awareness

Understand Network Behavior and Establish a Network’s Normal

A Powerful Information Source for Every Network Conversation
• Each and every network conversation over an extended period of time
• Source and destination IP address, IP ports, time, data transferred, and more
• Stored for future analysis

A Critical Tool to Identify a Security Breach
• Identify anomalous activity
• Reconstruct the sequence of events
• Gain forensic evidence and regulatory compliance
• Use NetFlow for full details, NetFlow-Lite for 1/n samples

Achieve pervasive network visibility and security for improved threat defense and incident response

Page 25: Stealth watch   navytechday-2016-03-03

Why Unsampled NetFlow?

Sampled NetFlow
• Subset of traffic, usually less than 5%
• Gives a snapshot view into network activity
• Similar to reading every 20th word of a book
• Suitable for detecting large scale DDoS attacks, but not extended, slow attacks

Full NetFlow
• All traffic is collected
• Provides complete view of all network activity
• Similar to reading every word on every page of a book
• Suitable for detecting large scale as well as extended, slow attacks

Complete Visibility is the key and only Cisco can provide
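To make the “every 20th word” analogy concrete, here is an added example (not code from the deck) that applies deterministic 1-in-20 packet sampling to a constructed stream holding a 2,000-packet flood and a one-packet-per-host scan of 50 hosts, then asks the full and the sampled telemetry the same two questions. The addresses, packet counts and the 20-host scan threshold are all constructed for the illustration.

```python
"""Sampled versus full NetFlow (slide 25): simulate 1-in-N packet sampling
over a constructed packet stream and compare what a flood and a slow scan
look like once only every N-th packet reaches the collector.

Added example, not code from the deck. The packet stream, addresses, the
1-in-20 ratio (the slide's 'every 20th word') and the scan threshold are
constructed for illustration.
"""
from collections import Counter
from typing import Dict, List, Tuple

Packet = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)

def build_stream() -> List[Packet]:
    """Constructed traffic: a 2,000-packet flood from one host to a web
    server, followed by a slow scan that sends exactly one packet to each
    of 50 hosts in 10.1.1.0/24 on port 445."""
    flood = [("10.9.9.9", "10.1.1.1", 80) for _ in range(2000)]
    scan = [("10.2.2.2", f"10.1.1.{h}", 445) for h in range(1, 51)]
    return flood + scan

def sample_every_nth(stream: List[Packet], n: int) -> List[Packet]:
    """Deterministic 1-in-N sampling (simplified: real exporters usually
    sample randomly, which changes which packets survive, not how many)."""
    return stream[::n]

def flows_from_packets(stream: List[Packet]) -> Dict[Packet, int]:
    """Collapse packets into flow records (5-tuple reduced to 3 fields here)
    with a packet count: the view a FlowCollector ends up with."""
    return dict(Counter(stream))

def distinct_targets(flows: Dict[Packet, int], src_ip: str) -> int:
    """Number of destination hosts src_ip is seen talking to."""
    return len({dst for (src, dst, _port) in flows if src == src_ip})

def compare(n: int = 20, scan_threshold: int = 20) -> Dict[str, object]:
    """Run the same two questions against full and sampled telemetry."""
    stream = build_stream()
    full = flows_from_packets(stream)
    sampled = flows_from_packets(sample_every_nth(stream, n))
    flood_key = ("10.9.9.9", "10.1.1.1", 80)
    return {
        "full_scan_targets": distinct_targets(full, "10.2.2.2"),
        "sampled_scan_targets": distinct_targets(sampled, "10.2.2.2"),
        # a host-count alarm at the threshold fires on full data only
        "full_scan_alarm": distinct_targets(full, "10.2.2.2") >= scan_threshold,
        "sampled_scan_alarm": distinct_targets(sampled, "10.2.2.2") >= scan_threshold,
        # the flood is still obvious after sampling; scaling by n restores its size
        "full_flood_pkts": full[flood_key],
        "sampled_flood_pkts_scaled": sampled.get(flood_key, 0) * n,
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With 1-in-20 sampling the flood's size is recovered exactly, but the scanner appears to have touched only 3 of its 50 targets and never crosses the alarm threshold.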

Page 26: Stealth watch   navytechday-2016-03-03

Turn the Network into a Security Sensor Grid

(Diagram: sites in Atlanta, San Jose and New York connected across the Internet and WAN. Every device exports NetFlow: ASR-1000, Cat6k, UCS with Nexus 1000v, ASA, 3925 ISR, 3560-X, 3750-X Stack(s), Cat4k; layers shown: Datacenter, WAN, DMZ, Access.)

Page 27: Stealth watch   navytechday-2016-03-03

StealthWatch Solution Components

(Diagram:)
• Network Devices export NetFlow (including NBAR and NSEL) to the StealthWatch FlowCollector
• StealthWatch FlowSensor and StealthWatch FlowSensor VE generate NetFlow
• StealthWatch FlowReplicator forwards NetFlow to other tools/collectors
• Cisco ISE supplies Users/Devices context
• StealthWatch Management Console

Page 28: Stealth watch   navytechday-2016-03-03

StealthWatch: Functional Overview

Inputs: Cisco (NetFlow); Foundry (sFlow); Mirror Port, SPAN, or Tap

• Collect and Process 130 Unique Flow Statistics
• Apply Over 130 StealthWatch Algorithms
• Build Profile of 90+ Host Attributes
• Generate Alarms, Alerts, and Reports
• Generate Profile-Enhanced Alarms, Alerts, and Reports
• Store Detailed Log of All Flows

Outputs: Display in UI; Send SYSLOG, SNMP, and Emails; Perform Mitigation Action

Page 29: Stealth watch   navytechday-2016-03-03

Granular Visibility – Down to End User

Gain Context-Aware Security

EVERYTHING must touch the network
KNOW every host
RECORD every conversation
Know what is NORMAL
Be alerted to CHANGE
Quickly respond to THREATS

What else can the network tell me?

(Diagram: Company Network: Assess, Audit, Posture, Detect, Response, Context)

Page 30: Stealth watch   navytechday-2016-03-03

StealthWatch for Macro-Level Visibility

Fight advanced threats with actionable intelligence and analytics

• Obtain comprehensive, scalable enterprise visibility and security context
• Gain real-time situational awareness of traffic
• Benefit from network segmentation using Cisco® TrustSec
• Detect and analyze network behavior anomalies
• Easily detect behaviors linked to advanced persistent threats (APTs), insider threats, distributed denial-of-service (DDoS) attacks, and malware
• Collect and analyze holistic network audit trails
• Achieve faster root cause analysis
• Conduct thorough forensic investigations
• Accelerate network troubleshooting and threat mitigation
• Respond quickly to threats by taking action to quarantine through Cisco® Identity Services Engine
• Continuously improve enterprise security posture

Monitor / Detect / Analyze / Respond

Page 31: Stealth watch   navytechday-2016-03-03

What Can StealthWatch Provide Your Organization?

• Continuously monitor devices, applications, and users throughout distributed networks
• Aggregate and analyze advanced telemetry to establish a security baseline of your network
• Monitor the entire network and data center to help ensure that there are no policy or network access violations
• Obtain contextual threat intelligence with a historical audit trail of NetFlow data
• Achieve enhanced visibility and context to accelerate threat detection
• Improve incident response and forensic analysis through actionable intelligence
• Isolate the root cause of an incident within seconds for mitigation

Extended Visibility / Policy and Access Management / Advanced Threat Protection / Accelerated Response

Page 32: Stealth watch   navytechday-2016-03-03

StealthWatch’s Value to Cisco’s Security and Best-in-Class Portfolio

Network as a Sensor
• Turns the entire network into a security sensor to gain broad visibility into all network traffic
• Provides contextual threat intelligence with historic audit trail of NetFlow data
• Enhances network planning, diagnostics, compliance validation, and software-defined segmentation

Extended Visibility
• Continuously monitors distributed networks from core to access to edge, whether on-premises or in the cloud
• Reduces risk by showing how, when, where, and why users and devices connect to the network
• Aggregates and analyzes advanced telemetry to establish a security baseline of your network

Accelerated Response
• Enables detection of threat-based anomalies over time
• Integrates with the network as an enforcer for automated containment
• Accelerates incident response and forensic analysis through actionable intelligence

StealthWatch Enhances Cisco’s Security Everywhere Strategy, Enabling Network Security and Visibility Across the Extended Enterprise

Page 33: Stealth watch   navytechday-2016-03-03

Network as a Sensor: Host Lock Violation and Suspect Data Loss

(Diagram elements: Stores with POS Terminals, Wireless POS, Wireless AP, C3850 Unified Access, ISR G2 Routers and a Hacked Server; a trusted Private WAN; a Data Center with ASA Firewalls, the POS Server, StealthWatch FlowCollector, StealthWatch Management Console and Cisco ISE; the Card Processor reached via Credit Card Processing over HTTPS; the Public Internet with a Compromised Server. Flows shown: Updates from POS Server over HTTPS; Exfiltration of Credit Cards OR Commands from Attacker; Command and Collect.)

Page 34: Stealth watch   navytechday-2016-03-03

StealthWatch within Cisco’s Security Portfolio

StealthWatch
• Detect breaches and insider threats faster
• Accelerate analysis and understanding of incidents
• Discover and monitor traffic baseline for the network
• Enable the deployment of granular, software-based segmentation

Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Page 35: Stealth watch   navytechday-2016-03-03

StealthWatch Insider Threat

Page 36: Stealth watch   navytechday-2016-03-03

All Threats Are Insider Threats

With lateral movement of advanced persistent threats, even external attacks eventually become internal threats

95% of all cybercrime is user-triggered by disguised malicious links

One out of four breaches are caused by malicious insiders

Two out of three breaches exploit weak or stolen passwords

Page 37: Stealth watch   navytechday-2016-03-03

Identifying Insider Threats

According to the Ponemon Institute, “Over reliance on A/V and IDS solutions has weakened the collective security posture, as these solutions cannot stand up in the face of the advanced threats we now see. New solutions focused on network and traffic intelligence are seen as the best way to combat advanced threats, and much broader adoption is required.”

According to Forrester, “Today, information security success is no longer defined by preventing attacks, but instead how quickly organizations can detect and contain breaches.”

Page 38: Stealth watch   navytechday-2016-03-03


The “Kill Chain”

Page 39: Stealth watch   navytechday-2016-03-03

NetFlow – The Heart of Network as a Sensor

NetFlow in Action: As an Attack Progresses

Breach Stage / Detection

1. Vulnerability Exploration: Attacker Scans IP Addresses and Ports to Explore Vulnerabilities (OS, User, App.)
   NetFlow Can Detect on Scans Across IP Address Ranges; NetFlow Can Detect on Scans Down IP Ports on Every IP Address

2. Install Malware on 1st Host: Attacker Installs Software to Gain Access
   NetFlow Can Detect on Inbound Admin Traffic From an Unexpected Location

3. Connection to “Command and Control”: Malware Creates Outbound Connection With C&C System for Further Instructions
   NetFlow Can Detect Outbound Connections to Known C&C IP Addresses

4. Spreading Malware to Other Hosts: Attack Other Systems on the Intranet Through Vulnerability Exploitation
   NetFlow Can Detect Scans Across IP Address Ranges by Internal Hosts; NetFlow Can Detect Scans Down IP Ports on Every IP Address by Internal Hosts

5. Data Exfiltration: Export Data to a 3rd Party Server
   NetFlow Can Detect Extended Flows (HTTP, FTP, GETMAIL, MAPIGET and More) and Data Transfer to New External Hosts

Page 40: Stealth watch   navytechday-2016-03-03


Identifying Insider Threats

Context Aware Security Analytics for Threat Detection

StealthWatch

Unauthorized Access

Policy Violations

Internal Reconnaissance

Target Data Hoarding

Suspect Data Hoarding

Suspect Data Loss

Page 41: Stealth watch   navytechday-2016-03-03

StealthWatch and the Cisco Secure Data Center Solution

Page 42: Stealth watch   navytechday-2016-03-03

Data Center is a Challenging Environment

Time-consuming provisioning
Complex data flows
Unpredictable data volume

Page 43: Stealth watch   navytechday-2016-03-03


Sacrifice Security to Gain Performance

Incomplete security coverage

Inconsistent levels of security

Compromised configuration

Proliferating user access

Page 44: Stealth watch   navytechday-2016-03-03

Data Centers Require Specialized Security

Standard edge security | Data center security
Sees symmetric traffic only | Requires asymmetric traffic management
Scales statically for predictable data volume, limited by edge data connection | Must scale dynamically to secure high volume data bursts
Monitors ingress and egress traffic | Needs to secure intra-data-center traffic
Deployed typically as a physical appliance | Requires both a physical and virtual solution
Deploys in days or weeks | Must deploy in hours or minutes

Page 45: Stealth watch   navytechday-2016-03-03

Visibility Challenges in the Data Center

Evasive Modern Attacks: Slow moving threats result in more difficult detection

Attackers with Credentials: Compromised credentials gain access to privileged resources

High Traffic Volume: Creates scaling issues for packet inspectors

Page 46: Stealth watch   navytechday-2016-03-03

Lancope for Secure Data Center

Segmentation
• Establish boundaries: network, compute, virtual
• Enforce policy by functions, devices, organizations, compliance
• Control and prevent unauthorized access to networks, resources, applications

Threat Defense
• Stop internal and external attacks and interruption of services
• Patrol zone and edge boundaries
• Control information access and usage, prevent data loss

Visibility
• Provide transparency to usage
• Apply business context to network activity
• Simplify operations and compliance reporting

Page 47: Stealth watch   navytechday-2016-03-03

Lancope StealthWatch System

Network Reconnaissance Using Dynamic NetFlow Analysis

Monitor Detect Analyze Respond

Understand your network and data center normal

Gain real-time situational awareness of all traffic

Leverage Network Behavior Anomaly detection & analytics

Detect behaviors linked to APTs, insider threats, DDoS, and malware

Collect & Analyze holistic network audit trails

Achieve faster root cause analysis to conduct thorough forensic investigations

Accelerate network troubleshooting & threat mitigation

Respond quickly to threats by taking action to quarantine through Cisco ISE

Page 48: Stealth watch   navytechday-2016-03-03

Lancope in The Data Center

(Diagram: Nexus 7000, Cisco ASA, Nexus 1000v and Cisco UCS are the NetFlow Enabled Devices exporting NetFlow to the StealthWatch FlowCollector; a StealthWatch FlowSensor fed by a SPAN session also exports NetFlow; the StealthWatch Management Console talks to the FlowCollector over https.)

Page 49: Stealth watch   navytechday-2016-03-03

Massively Scalable StealthWatch architecture

Components shown: StealthWatch Management Console; FlowCollector; UDP Director; FlowSensor; Firewall, Routers, and ASA; SLIC Threat Feed; StealthWatch IDentity; Cisco ISE; PacketWatch; ProxyWatch

Visibility and Management
• Aggregate up to 25 FlowCollectors
• Up to 6 million flows per second
• Integration with third-party security / network tools

Aggregation, Analytics, and Context
• Store and analyze up to 4,000 sources at up to 240,000 sustained flows per second
• Identity, device, reputation, threat, proxy, and application feeds provide threat context
• Continuous packet capture

Exporters / Transactional Monitors
• Network telemetry data is generated by switches, routers, firewalls
• FlowSensors in areas without flow support
• Support up to 20 Gbps throughput per sensor

Page 50: Stealth watch   navytechday-2016-03-03

StealthWatch Management Center

Page 51: Stealth watch   navytechday-2016-03-03

Network Summary

• Understand what applications are running within any given network segment
• Monitor the trend of traffic flow to identify anomalies
• Report on who is transferring the most data
• Report on where the data is going to/from the Internet

Page 52: Stealth watch   navytechday-2016-03-03

Network Alert Data

• Summarize the security event data to detect suspicious hosts
• Top Concerning Hosts – reputation scoring of suspect host behavior
• Top Scanning Hosts – view any internal recon activity
• Top Source of Alarms – aggregate multiple alarm conditions to find suspect behavior
• Top Target of Alarms – aggregate multiple alarm conditions to find target hosts

Page 53: Stealth watch   navytechday-2016-03-03

Network Audit Report

Host Audit Report
• Have complete visibility into any host communicating within any given segment
• This report may be applied to any logical network segment or group

Page 54: Stealth watch   navytechday-2016-03-03


Behavior Based Analysis

Page 55: Stealth watch   navytechday-2016-03-03

Behavior-Based Attack Detection

High Concern Index indicates a significant number of suspicious events that deviate from established baselines

Page 56: Stealth watch   navytechday-2016-03-03

StealthWatch: Alarms

Alarms
• Indicate significant behavior changes and policy violations
• Known and unknown attacks generate alarms
• Activity that falls outside the baseline, acceptable behavior or established policies

Page 57: Stealth watch   navytechday-2016-03-03


StealthWatch + ISE = Adaptive Network Control

Quarantine/Unquarantine via pxGrid

Identity Services Engine

StealthWatch Management

Console

Page 58: Stealth watch   navytechday-2016-03-03

StealthWatch Summary

Page 59: Stealth watch   navytechday-2016-03-03

NetFlow – The Heart of Network as a Sensor

Example: NetFlow Alerts With Cisco StealthWatch

Denial of Service: SYN Half Open; ICMP/UDP/Port Flood

Worm Propagation: Worm Infected Host Scans and Connects to the Same Port Across Multiple Subnets, Other Hosts Imitate the Same Above Behavior

Fragmentation Attack: Host Sending Abnormal # Malformed Fragments

Botnet Detection: When Inside Host Talks to Outside C&C Server for an Extended Period of Time

Host Reputation Change: Inside Host Potentially Compromised or Received Abnormal Scans or Other Malicious Attacks

Network Scanning: TCP, UDP, Port Scanning Across Multiple Hosts

Data Exfiltration: Large Outbound File Transfer VS. Baseline
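The detections sketched on slide 39 (scans across address ranges and down ports), two of the alarms on this slide (an inside host holding an extended session with an outside server, and outbound volume versus baseline) and the Concern Index of slide 55, implemented together over sample bidirectional flow records as an added example. This is not StealthWatch's own logic; the record format, the thresholds, the event weights and every sample flow are constructed for the illustration, and "inside" is assumed to be 10.0.0.0/8.

```python
"""Behaviour-based alarms over bidirectional flow records: address and port
scans (slide 39), long outbound sessions and outbound volume versus a host
baseline (slide 59), rolled up into a per-host Concern Index (slide 55).

Added example, not StealthWatch's own algorithms: record fields, thresholds,
weights and every sample flow are constructed; 'inside' means 10.0.0.0/8.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from typing import Dict, List
INSIDE = ip_network("10.0.0.0/8")  # assumption: the monitored address space

@dataclass(frozen=True)
class BiFlow:
    client_ip: str
    server_ip: str
    server_port: int
    client_bytes: int  # bytes the client sent (outbound when the client is inside)
    duration_s: int    # seconds between the first and last packet of the flow

def is_inside(ip: str) -> bool:
    return ip_address(ip) in INSIDE

def detect_scans(flows: List[BiFlow], min_hosts=20, min_ports=20) -> Dict[str, List[str]]:
    """Address scan: one client, many hosts, one port. Port scan: one client, one host, many ports."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for f in flows:
        hosts[(f.client_ip, f.server_port)].add(f.server_ip)
        ports[(f.client_ip, f.server_ip)].add(f.server_port)
    events = defaultdict(list)
    for (client, port), targets in hosts.items():
        if len(targets) >= min_hosts:
            events[client].append(f"address scan: {len(targets)} hosts on port {port}")
    for (client, server), tports in ports.items():
        if len(tports) >= min_ports:
            events[client].append(f"port scan: {len(tports)} ports on {server}")
    return events

def detect_long_outbound(flows: List[BiFlow], min_seconds=3600) -> Dict[str, List[str]]:
    """Inside host talking to an outside server for an extended period."""
    events = defaultdict(list)
    for f in flows:
        if is_inside(f.client_ip) and not is_inside(f.server_ip) and f.duration_s >= min_seconds:
            events[f.client_ip].append(f"long outbound: {f.server_ip}:{f.server_port} for {f.duration_s}s")
    return events

def detect_exfil(flows: List[BiFlow], baseline: Dict[str, List[int]], k=3.0) -> Dict[str, List[str]]:
    """Outbound bytes per inside host this period vs. mean + k * stddev of its past daily totals."""
    outbound = defaultdict(int)
    for f in flows:
        if is_inside(f.client_ip) and not is_inside(f.server_ip):
            outbound[f.client_ip] += f.client_bytes
    events = defaultdict(list)
    for host, total in outbound.items():
        if host not in baseline:
            continue  # no baseline yet, so no deviation can be judged
        limit = mean(baseline[host]) + k * pstdev(baseline[host])
        if total > limit:
            events[host].append(f"exfil: {total} bytes out vs. baseline limit {int(limit)}")
    return events

# Constructed weights; the text before the first ':' in an event selects one.
WEIGHTS = {"address scan": 40, "port scan": 30, "long outbound": 20, "exfil": 50}

def concern_index(flows: List[BiFlow], baseline: Dict[str, List[int]]) -> Dict[str, int]:
    """Per-host sum of weighted events; a high value means many deviations."""
    ci = defaultdict(int)
    for det in (detect_scans(flows), detect_long_outbound(flows), detect_exfil(flows, baseline)):
        for host, evs in det.items():
            for e in evs:
                ci[host] += WEIGHTS[e.split(":")[0]]
    return dict(ci)

# Constructed sample (not real telemetry): 10.2.2.2 sweeps port 445 across 25 inside
# hosts, then holds a two-hour session to an outside server and pushes 600 MB out.
SAMPLE_FLOWS = (
    [BiFlow("10.2.2.2", f"10.1.1.{h}", 445, 60, 0) for h in range(1, 26)]
    + [BiFlow("10.2.2.2", "203.0.113.10", 443, 600_000_000, 7200),
       BiFlow("10.3.3.3", "198.51.100.5", 443, 2_000_000, 30)]
)
# Constructed baseline: each inside host's past daily outbound byte totals.
BASELINE = {
    "10.2.2.2": [40_000_000, 55_000_000, 48_000_000, 52_000_000, 45_000_000],
    "10.3.3.3": [1_500_000, 2_500_000, 1_800_000, 2_200_000, 2_000_000],
}
```

Calling concern_index(SAMPLE_FLOWS, BASELINE) yields {'10.2.2.2': 110}: 40 for the address scan, 20 for the two-hour outbound session and 50 for the outbound volume, while 10.3.3.3 stays within its baseline and receives no score.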

Page 60: Stealth watch   navytechday-2016-03-03


StealthWatch Provides

Superior forensic investigation

Extensive network behavior anomaly detection

Deep, granular visibility into all traffic

Page 61: Stealth watch   navytechday-2016-03-03

What Can the Network Do for You? Network as Sensor

Detect Anomalous Traffic Flows, Malware: e.g. Communication with Malicious Hosts, Internal Malware Propagation, Data Exfiltration

Detect App Usage, User Access Policy Violations: e.g. Maintenance Contractor Accessing Financial Data

Detect Rogue Devices, APs and More: e.g. Maintenance Contractor Connecting an Unauthorized AP in Bank Branch to Breach

Page 62: Stealth watch   navytechday-2016-03-03

What Can the Network Do for You? Network as an Enforcer

Decrease Time to Remediation: e.g. SourceFire Integration for Network-Wide Rapid Threat Detection and Mitigation

Automate Configuration and Provisioning: e.g. ACL, QoS, and Secure Branch Automation

Enable Open, Programmable Network Abstraction: e.g. RESTful API Integration, CLI Hardware Compatibility

Page 63: Stealth watch   navytechday-2016-03-03

For More Info

Page 64: Stealth watch   navytechday-2016-03-03

StealthWatch & Cisco Validated Designs

Cisco Cyber Threat Defense v2.0
http://www.cisco.com/c/en/us/support/security/cyber-threat-defense-2-0/model.html

Page 65: Stealth watch   navytechday-2016-03-03

Links:

www.cisco.com/go/cvd
www.cisco.com/go/stealthwatch
https://www.youtube.com/user/LancopeStealthWatch

Page 66: Stealth watch   navytechday-2016-03-03